CISA Expands KEV Catalog with Six Actively Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) continues its momentum in strengthening federal and enterprise cybersecurity posture, announcing new additions to its Known Exploited Vulnerabilities (KEV) Catalog on October 14–15, 2025. These updates spotlight six actively exploited flaws impacting Microsoft Windows, Rapid7 Velociraptor, SKYSEA Client View, IGEL OS, and Adobe Experience Manager, each confirmed in live attack campaigns.

Why This Update Matters

CISA’s KEV catalog is one of the most authoritative vulnerability tracking databases in the world. It lists vulnerabilities confirmed to be exploited in real-world attacks, compelling federal agencies to patch them under Binding Operational Directive (BOD) 22‑01 and urging private organizations to follow the same timeline.
The message here is clear — these vulnerabilities are not theoretical. They are being used right now in cyberattacks.

Highlights from the October 14–15 Additions

CVE‑2025‑24990 — Microsoft Windows Agere Modem Driver Elevation of Privilege

  • Component: ltmdm64.sys – Agere Modem driver (bundled with all Windows releases, including Server 2025).
  • Weakness: Untrusted pointer dereference (CWE‑822).
  • Impact: Local privilege escalation to SYSTEM level [1][2][3].
  • CVSS Score: 7.8 (High).
  • Exploitation Status: Confirmed active exploitation; possibly leveraged for endpoint detection and response (EDR) evasion.
  • Technical Summary:
    The driver contains improperly validated pointer operations in privileged kernel code, allowing a low‑privilege local user to dereference arbitrary memory and run code with kernel privileges. Because the Agere Modem driver ships with all Windows systems—even when no modem hardware is present—virtually every system is affected.
    Microsoft removed this driver entirely in the October 2025 Patch Tuesday update. However, dependent fax‑modem hardware will stop functioning after patching.
  • Mitigation: Apply the October cumulative update or manually remove ltmdm64.sys from system32\drivers.

CVE‑2025‑59230 — Windows RasMan (Remote Access Connection Manager) Elevation of Privilege

  • Component: Remote Access Connection Manager (RasMan).
  • Weakness: Improper access control.
  • Impact: Local privilege escalation to SYSTEM.
  • CVSS v3.1: 7.8 (Important).
  • Exploitation Status: Actively exploited zero‑day.
  • Technical Summary:
    This vulnerability stems from incorrect privilege checks when RasMan handles connection session resources. Exploiting it allows an authenticated local attacker to gain SYSTEM privileges, enabling full control of a device. It is the first RasMan vulnerability observed exploited in the wild.
    Attackers use this flaw for privilege escalation within chained exploitation sequences following initial access.
  • Mitigation: Install the October 14, 2025 Windows patch. Limit local code execution privileges and enable telemetry/EDR monitoring for privilege‑escalation behavior.

CVE‑2025‑6264 — Rapid7 Velociraptor Remote Code Execution

  • Component: Rapid7 Velociraptor endpoint agent (≤ v0.74.3).
  • Weakness: Incorrect default permissions (CWE‑276).
  • Impact: Arbitrary code execution and complete endpoint takeover.
  • CVSS: 8.8 (High).
  • Exploitation Status: Actively exploited in ransomware campaigns.
  • Technical Summary:
    The misconfigured default access permissions in Velociraptor’s artifact‑collection framework allow attackers to execute arbitrary VQL queries as privileged operations. Once exploited, threat actors can deploy ransomware (Warlock, LockBit, Babuk) or exfiltrate sensitive data. Cisco Talos confirmed exploitation beginning August 2025 across ESXi and Windows infrastructure.
  • Mitigation: Update to the latest Velociraptor build (≥ v0.75), review ACL settings, and restrict privileged artifact execution.

CVE‑2016‑7836 — SKYSEA Client View Remote Code Execution

  • Component: SKYSEA Client View Management Software (≤ v11.221.03).
  • Weakness: Improper authentication on TCP management connection.
  • Impact: Remote code execution by unauthenticated network attacker.
  • CVSS: 9.8 (Critical).
  • Exploitation Status: Reemerged in 2025 exploitation chains; active in current ransomware playbooks.
  • Technical Summary:
    The vulnerability arises from unauthenticated TCP request handling between SKYSEA’s client and its management server. Attackers can inject unauthorized commands remotely, leading to arbitrary code execution on affected endpoints. Initially disclosed in 2016, but unpatched legacy deployments have been observed exploited in targeted attacks in 2025.
  • Mitigation: Upgrade to the latest SKYSEA release (post‑11.221.03) and restrict management port exposure.

CVE‑2025‑47827 — IGEL OS Secure Boot Bypass

  • Component: igel-flash-driver module (IGEL OS < v11).
  • Weakness: Improper cryptographic signature verification.
  • Impact: Secure Boot bypass enabling kernel‑level tampering.
  • CVSS: 8.4 (High).
  • Exploitation Status: Publicly exploited; proof‑of‑concept available.
  • Technical Summary:
    The igel-flash-driver incorrectly validates cryptographic signatures on SquashFS root filesystem images. An attacker with physical or provisioning access can load a malicious image and boot the system, bypassing UEFI Secure Boot. This allows deployment of kernel‑level rootkits or credential‑harvesting modules.
    The flaw particularly affects thin clients in healthcare and education environments.
  • Mitigation: Upgrade to IGEL OS 11 or later, which enforces proper signature verification; secure local boot media to prevent malicious image insertion.

CVE-2025-54253 — Adobe Experience Manager (AEM) Forms on JEE Remote Code Execution

  • Component: Adobe Experience Manager (AEM) Forms on Java Enterprise Edition (JEE) up to version 6.5.23.0.
  • Weakness: OGNL (Object-Graph Navigation Language) injection due to Struts2 development mode misconfiguration (CWE-16: Configuration).
  • Impact: Remote unauthenticated attackers can bypass authentication and execute arbitrary code remotely.
  • CVSS Score: 10.0 (Critical).
  • Exploitation Status: Public proof-of-concept available; high risk for real-world attacks.
  • Attack Vector: Network-based; no user interaction or privileges required.

Technical Summary:

CVE-2025-54253 is a critical zero-day vulnerability arising from an insecure debug servlet (/adminui/debug) left enabled in AEM Forms on JEE. This servlet unsafely evaluates user-supplied OGNL expressions as Java code without proper validation or authentication. An attacker can craft a malicious HTTP request embedding OGNL payloads to execute arbitrary system commands on the vulnerable server remotely.

This vulnerability can be exploited with low complexity and offers an attacker full control over the affected server. Exploitation can lead to complete system compromise, data breaches, unauthorized persistence, and disruption of critical digital experience workflows managed by AEM.

Exploit Details:

  • Attackers generate a malicious serialized Java payload using tools like ysoserial.
  • They deliver this payload inside HTTP GET requests to the exposed debug endpoint.
  • The server evaluates the OGNL expression, triggering arbitrary code execution.
  • Exploitation can include executing shell commands, deploying backdoors, and exfiltrating sensitive data.

Affected Configurations:

  • AEM Forms on JEE versions 6.5.23.0 and earlier with the debug endpoint accessible.
  • Standalone deployment on JBoss or other J2EE servers is especially vulnerable.
  • Exposed admin/debug panels or publicly accessible AEM instances increase risk.

Mitigation:

  • Apply Adobe’s urgent security update APSB25-82 released August 5, 2025.
  • Disable or restrict access to the /adminui/debug servlet to trusted personnel only.
  • Employ network-level controls to limit internet exposure of AEM management interfaces.
  • Monitor for suspicious GET requests with unusual parameters targeting the debug endpoint.
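The last mitigation bullet, monitoring for unusual requests to the debug endpoint, can be turned into a simple hunting check over web-server access logs. The following is an added example and not Adobe's or CISA's tooling: the log lines are constructed, the `expr` parameter name is invented, and the indicator list is an assumption about what OGNL-style input tends to contain, not a complete signature.

```python
"""Flag requests to the AEM Forms on JEE /adminui/debug servlet in access logs.

Added example (not from the advisory or from Adobe). Sample log lines are
constructed; the OGNL indicator list is a hunting heuristic, not a grammar.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DEBUG_PATH = "/adminui/debug"
# Substrings common to OGNL expressions (assumption: coarse, tune to your traffic).
OGNL_INDICATORS = ("%{", "#", "@", ".class")


def analyse_request(line):
    """Return a finding for a request to the debug servlet, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().startswith(DEBUG_PATH):
        return None
    # Decode twice: double-encoded parameters are a common way to slip past naive filters.
    decoded = unquote_plus(unquote_plus(parts.query))
    hits = [ind for ind in OGNL_INDICATORS if ind in decoded]
    return {
        "ip": m.group("ip"), "timestamp": m.group("ts"), "status": int(m.group("status")),
        "query": decoded, "indicators": hits,
        # Any hit on the debug servlet is worth a look; OGNL markers make it high.
        "severity": "high" if hits else "medium",
    }


def scan_log(lines):
    """Run analyse_request over log lines and keep only the findings."""
    return [f for f in (analyse_request(l) for l in lines) if f]


# Constructed sample log (not real traffic). Line 3 carries a harmless
# double-encoded OGNL arithmetic expression, %{1+1}, to exercise the decoder.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2025:10:01:02 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2025:10:01:09 +0000] "GET /adminui/debug HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.23 - - [14/Oct/2025:10:02:31 +0000] "GET /adminui/debug?expr=%2525%257B1%252B1%257D HTTP/1.1" 200 77 "-" "python-requests/2.32"',
    '198.51.100.23 - - [14/Oct/2025:10:02:40 +0000] "GET /adminui/debug?expr=%25%7B%23a%3D1%7D HTTP/1.1" 200 77 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["timestamp"], f["indicators"], f["query"])
```

Requests to the servlet without OGNL markers are still reported at medium severity because, after APSB25-82 and the access restriction above, no external client should reach that path at all.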

BOD 22‑01: Required Action

Under CISA’s Binding Operational Directive 22‑01, all federal agencies must remediate these vulnerabilities no later than November 4, 2025. Private organizations, while not legally bound, are strongly encouraged to:

  • Apply patches immediately or deploy compensating controls.
  • Audit Velociraptor agent permissions and disable unused administrative endpoints.
  • Employ network segmentation for legacy systems running SKYSEA or IGEL OS.
  • Monitor for suspicious HTTP, RASMan, or driver-level activity associated with recent Microsoft exploitation chains.
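Integrating KEV intelligence into patch management, as the bullets above and the takeaway below recommend, amounts to joining the feed against an asset inventory and sorting by due date and ransomware linkage. The following is an added example rather than CISA tooling: the records are constructed but use the field names of CISA's public known_exploited_vulnerabilities.json feed (`cveID`, `vendorProject`, `product`, `dueDate`, `knownRansomwareCampaignUse`), and the inventory and matching rule are invented.

```python
"""Triage KEV feed entries against an asset inventory for BOD 22-01 due dates.

Added example, not CISA tooling. KEV records are constructed using the public
feed's field names; the inventory and the product-matching rule are assumptions.
"""
from datetime import date

# Constructed KEV-style records for four of the entries discussed above.
KEV_RECORDS = [
    {"cveID": "CVE-2025-24990", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-11-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-59230", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-11-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-6264", "vendorProject": "Rapid7", "product": "Velociraptor",
     "dueDate": "2025-11-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-54253", "vendorProject": "Adobe", "product": "Experience Manager Forms",
     "dueDate": "2025-11-04", "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed inventory: (hostname, vendor, product).
INVENTORY = [
    ("fileserver01", "Microsoft", "Windows"),
    ("dfir-collector", "Rapid7", "Velociraptor"),
    ("www-forms", "Adobe", "Experience Manager Forms"),
    ("db01", "PostgreSQL", "PostgreSQL"),
]


def matches(record, vendor, product):
    """Vendor must match exactly; product is a substring test because KEV product
    names are free text (assumption: coarse matching, tune against your CMDB)."""
    return (record["vendorProject"].lower() == vendor.lower()
            and product.lower() in record["product"].lower())


def triage(records, inventory, today_iso):
    """Return one finding per (asset, KEV entry) pair, most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, vendor, product in inventory:
        for rec in records:
            if not matches(rec, vendor, product):
                continue
            days_left = (date.fromisoformat(rec["dueDate"]) - today).days
            findings.append({
                "host": host, "cve": rec["cveID"], "due": rec["dueDate"],
                "days_left": days_left,
                "status": "overdue" if days_left < 0 else "open",
                # Entries tied to ransomware campaigns jump the queue regardless of days left.
                "priority": 0 if rec["knownRansomwareCampaignUse"] == "Known" else 1,
            })
    return sorted(findings, key=lambda f: (f["priority"], f["days_left"]))
```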

Key Takeaway

The October 2025 KEV update underscores a persistent truth — attackers will always exploit trusted tools and unpatched, familiar systems before investing in zero‑day research.
Security teams must prioritize these high‑confidence, actively exploited CVEs, integrating KEV intelligence into patch management programs and threat‑hunting workflows.

As the KEV catalog expands rapidly, it remains an essential real‑time barometer of the vulnerabilities that matter most. Staying current with its updates is the difference between being an observer and becoming a target.
